Accepting request 524782 from home:pmonrealgonzalez:branches:network:utilities

- Disabled ikev2pI2 test that fails on some architectures * Added patch tcpdump-ikev2pI2.patch - Update to version 4.9.2 [bsc#1057247] * Security fixes: - CVE-2017-11108 segfault in STP decoder - Segfault in ESP decoder with OpenSSL 1.1 - CVE-2017-11543 buffer overflow in SLIP decoder - CVE-2017-13011 buffer overflow in bittok2str_internal() - CVE-2017-12989 infinite loop in the RESP parser - CVE-2017-12990 infinite loop in the ISAKMP parser - CVE-2017-12995 infinite loop in the DNS parser - CVE-2017-12997 infinite loop in the LLDP parser - CVE-2017-11541 buffer over-read in safeputs() - CVE-2017-11542 buffer over-read in PIMv1 decoder - CVE-2017-12893 buffer over-read in the SMB/CIFS parser - CVE-2017-12894 buffer over-read in several protocol parsers - CVE-2017-12895 buffer over-read in the ICMP parser - CVE-2017-12896 buffer over-read in the ISAKMP parser - CVE-2017-12897 buffer over-read in the ISO CLNS parser - CVE-2017-12898 buffer over-read in the NFS parser - CVE-2017-12899 buffer over-read in the DECnet parser - CVE-2017-12900 buffer over-read in the in several protocol parsers - CVE-2017-12901 buffer over-read in the EIGRP parser - CVE-2017-12902 buffer over-read in the Zephyr parser - CVE-2017-12985 buffer over-read in the IPv6 parser - CVE-2017-12986 buffer over-read in the IPv6 routing header parser - CVE-2017-12987 buffer over-read in the 802.11 parser - CVE-2017-12988 buffer over-read in the telnet parser - CVE-2017-12991 buffer over-read in the BGP parser OBS-URL: https://build.opensuse.org/request/show/524782 OBS-URL: https://build.opensuse.org/package/show/network:utilities/tcpdump?expand=0&rev=43
2017-09-13 12:03:36 +00:00 · 2017-09-13 12:03:36 +00:00 · 1ee961a873
commit 1ee961a873
parent 8e39dc6910
8 changed files with 131 additions and 138 deletions
--- a/tcpdump-4.9.1.tar.gz
+++ b/tcpdump-4.9.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f9448cf4deb2049acf713655c736342662e652ef40dbe0a8f6f8d5b9ce5bd8f3
-size 1258108
--- a/tcpdump-4.9.1.tar.gz.sig
+++ b/tcpdump-4.9.1.tar.gz.sig
--- a/tcpdump-4.9.2.tar.gz
+++ b/tcpdump-4.9.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:798b3536a29832ce0cbb07fafb1ce5097c95e308a6f592d14052e1ef1505fe79
+size 2298386
--- a/tcpdump-4.9.2.tar.gz.sig
+++ b/tcpdump-4.9.2.tar.gz.sig
--- a/tcpdump-ikev2pI2.patch
+++ b/tcpdump-ikev2pI2.patch
@ -0,0 +1,20 @@
+Index: tcpdump-4.9.2/tests/crypto.sh
+===================================================================
+--- tcpdump-4.9.2.orig/tests/crypto.sh
+++ tcpdump-4.9.2/tests/crypto.sh
+@@ -72,15 +72,6 @@ then
+ 			echo $failed >.failed
+ 			exitcode=1
+ 		fi
+-		if ./TESTonce ikev2pI2 ikev2pI2.pcap ikev2pI2.out '-E "file ikev2pI2-secrets.txt" -v -v -v -v'
+-		then
+-			passed=`expr $passed + 1`
+-			echo $passed >.passed
+-		else
+-			failed=`expr $failed + 1`
+-			echo $failed >.failed
+-			exitcode=1
+-		fi
+ 		if ./TESTonce isakmp4 isakmp4500.pcap isakmp4.out '-E "file esp-secrets.txt"'
+ 		then
+ 			passed=`expr $passed + 1`
--- a/tcpdump-reverted-test-scripts-fix.patch
+++ b/tcpdump-reverted-test-scripts-fix.patch
@ -1,131 +0,0 @@
-From 68cc39dd64688829be2632d9cd24f7efa3da79bb Mon Sep 17 00:00:00 2001
-From: Denis Ovsienko <denis@ovsienko.info>
-Date: Thu, 13 Jul 2017 21:07:13 +0100
-Subject: [PATCH] Fix a bug in test scripts (exposed in GH #613).
-
-crypto.sh ran its tests as expected but only indicated a failure
-upstream when the last test failed. Add necessary checks and modify
-the other "complex" tests in a similar manner to make sure the same
-bug does not creep into these scripts later. Fix some indentation
-while at it.
---
- tests/crypto.sh             | 12 ++++++++++++
- tests/isis-seg-fault-1-v.sh |  6 +++++-
- tests/lmp-v.sh              |  7 ++++++-
- tests/nflog-e.sh            |  7 ++++++-
- 4 files changed, 29 insertions(+), 3 deletions(-)
-
-diff --git a/tests/crypto.sh b/tests/crypto.sh
-index 3aa29caa..5e295957 100755
--- a/tests/crypto.sh
-+++ b/tests/crypto.sh
-@@ -1,12 +1,17 @@
- #!/bin/sh
- 
-+exitcode=0
-+
- # Only attempt OpenSSL-specific tests when compiled with the library.
- 
- if grep '^#define HAVE_LIBCRYPTO 1$' ../config.h >/dev/null
- then
- 	./TESTonce esp1 02-sunrise-sunset-esp.pcap esp1.out '-E "0x12345678@192.1.2.45 3des-cbc-hmac96:0x4043434545464649494a4a4c4c4f4f515152525454575758"'
-+	[ $? -eq 0 ] || exitcode=1
- 	./TESTonce esp2 08-sunrise-sunset-esp2.pcap esp2.out '-E "0x12345678@192.1.2.45 3des-cbc-hmac96:0x43434545464649494a4a4c4c4f4f51515252545457575840,0xabcdabcd@192.0.1.1 3des-cbc-hmac96:0x434545464649494a4a4c4c4f4f5151525254545757584043"'
-+	[ $? -eq 0 ] || exitcode=1
- 	./TESTonce esp3 02-sunrise-sunset-esp.pcap esp1.out '-E "3des-cbc-hmac96:0x4043434545464649494a4a4c4c4f4f515152525454575758"'
-+	[ $? -eq 0 ] || exitcode=1
- 	# Reading the secret(s) from a file does not work with Capsicum.
- 	if grep '^#define HAVE_CAPSICUM 1$' ../config.h >/dev/null
- 	then
-@@ -18,10 +23,15 @@ then
- 		printf "$FORMAT" isakmp4
- 	else
- 		./TESTonce esp4 08-sunrise-sunset-esp2.pcap esp2.out '-E "file esp-secrets.txt"'
-+		[ $? -eq 0 ] || exitcode=1
- 		./TESTonce esp5 08-sunrise-sunset-aes.pcap esp5.out '-E "file esp-secrets.txt"'
-+		[ $? -eq 0 ] || exitcode=1
- 		./TESTonce espudp1 espudp1.pcap espudp1.out '-nnnn -E "file esp-secrets.txt"'
-+		[ $? -eq 0 ] || exitcode=1
- 		./TESTonce ikev2pI2 ikev2pI2.pcap ikev2pI2.out '-E "file ikev2pI2-secrets.txt" -v -v -v -v'
-+		[ $? -eq 0 ] || exitcode=1
- 		./TESTonce isakmp4 isakmp4500.pcap isakmp4.out '-E "file esp-secrets.txt"'
-+		[ $? -eq 0 ] || exitcode=1
- 	fi
- else
- 	FORMAT='    %-35s: TEST SKIPPED (compiled w/o OpenSSL)\n'
-@@ -34,3 +44,5 @@ else
- 	printf "$FORMAT" ikev2pI2
- 	printf "$FORMAT" isakmp4
- fi
-+
-+exit $exitcode
-diff --git a/tests/isis-seg-fault-1-v.sh b/tests/isis-seg-fault-1-v.sh
-index fc7bddd4..57965e8e 100755
--- a/tests/isis-seg-fault-1-v.sh
-+++ b/tests/isis-seg-fault-1-v.sh
-@@ -4,6 +4,7 @@
- # may produce a slightly different result if the compiler is not GCC.
- # Test only with GCC (similar to GitHub issue #333).
- 
-+exitcode=0
- test_name=isis-seg-fault-1-v
- 
- if [ ! -f ../Makefile ]
-@@ -11,7 +12,10 @@ then
- 	printf '    %-35s: TEST SKIPPED (no Makefile)\n' $test_name
- elif grep '^CC = .*gcc' ../Makefile >/dev/null
- then
-  ./TESTonce $test_name isis-seg-fault-1.pcap isis-seg-fault-1-v.out '-v'
-+	./TESTonce $test_name isis-seg-fault-1.pcap isis-seg-fault-1-v.out '-v'
-+	[ $? -eq 0 ] || exitcode=1
- else
- 	printf '    %-35s: TEST SKIPPED (compiler is not GCC)\n' $test_name
- fi
-+
-+exit $exitcode
-diff --git a/tests/lmp-v.sh b/tests/lmp-v.sh
-index d26760d0..2d018864 100755
--- a/tests/lmp-v.sh
-+++ b/tests/lmp-v.sh
-@@ -6,6 +6,8 @@
- # GCC build and must reproduce correctly on any other GCC build regardless of
- # the architecture.
- 
-+exitcode=0
-+
- # A Windows build may have no file named Makefile and also a version of grep
- # that won't return an error when the file does not exist. Work around.
- if [ ! -f ../Makefile ]
-@@ -13,7 +15,10 @@ then
- 	printf '    %-35s: TEST SKIPPED (no Makefile)\n' 'lmp-v'
- elif grep '^CC = .*gcc' ../Makefile >/dev/null
- then
-  ./TESTonce lmp-v lmp.pcap lmp-v.out '-T lmp -v'
-+	./TESTonce lmp-v lmp.pcap lmp-v.out '-T lmp -v'
-+	[ $? -eq 0 ] || exitcode=1
- else
- 	printf '    %-35s: TEST SKIPPED (compiler is not GCC)\n' 'lmp-v'
- fi
-+
-+exit $exitcode
-diff --git a/tests/nflog-e.sh b/tests/nflog-e.sh
-index a8a67f00..5b002bf1 100755
--- a/tests/nflog-e.sh
-+++ b/tests/nflog-e.sh
-@@ -1,10 +1,15 @@
- #!/bin/sh
- 
-+exitcode=0
-+
- # NFLOG support depends on both DLT_NFLOG and working <pcap/nflog.h>
- 
- if grep '^#define HAVE_PCAP_NFLOG_H 1$' ../config.h >/dev/null
- then
-  ./TESTonce nflog-e nflog.pcap nflog-e.out '-e'
-+	./TESTonce nflog-e nflog.pcap nflog-e.out '-e'
-+	[ $? -eq 0 ] || exitcode=1
- else
- 	printf '    %-35s: TEST SKIPPED (compiled w/o NFLOG)\n' 'nflog-e'
- fi
-+
-+exit $exitcode
--- a/tcpdump.changes
+++ b/tcpdump.changes
@ -1,3 +1,107 @@
+-------------------------------------------------------------------
+Tue Sep 12 15:23:04 UTC 2017 - pmonrealgonzalez@suse.com
+
+- Disabled ikev2pI2 test that fails on some architectures
+  * Added patch tcpdump-ikev2pI2.patch
+
+-------------------------------------------------------------------
+Tue Sep 12 14:51:00 UTC 2017 - pmonrealgonzalez@suse.com
+
+- Update to version 4.9.2 [bsc#1057247]
+  * Security fixes:
+    - CVE-2017-11108 segfault in STP decoder
+    - Segfault in ESP decoder with OpenSSL 1.1
+    - CVE-2017-11543 buffer overflow in SLIP decoder
+    - CVE-2017-13011 buffer overflow in bittok2str_internal()
+    - CVE-2017-12989 infinite loop in the RESP parser
+    - CVE-2017-12990 infinite loop in the ISAKMP parser
+    - CVE-2017-12995 infinite loop in the DNS parser
+    - CVE-2017-12997 infinite loop in the LLDP parser
+    - CVE-2017-11541 buffer over-read in safeputs()
+    - CVE-2017-11542 buffer over-read in PIMv1 decoder
+    - CVE-2017-12893 buffer over-read in the SMB/CIFS parser
+    - CVE-2017-12894 buffer over-read in several protocol parsers
+    - CVE-2017-12895 buffer over-read in the ICMP parser
+    - CVE-2017-12896 buffer over-read in the ISAKMP parser
+    - CVE-2017-12897 buffer over-read in the ISO CLNS parser
+    - CVE-2017-12898 buffer over-read in the NFS parser
+    - CVE-2017-12899 buffer over-read in the DECnet parser
+    - CVE-2017-12900 buffer over-read in the in several protocol parsers
+    - CVE-2017-12901 buffer over-read in the EIGRP parser
+    - CVE-2017-12902 buffer over-read in the Zephyr parser
+    - CVE-2017-12985 buffer over-read in the IPv6 parser
+    - CVE-2017-12986 buffer over-read in the IPv6 routing header parser
+    - CVE-2017-12987 buffer over-read in the 802.11 parser
+    - CVE-2017-12988 buffer over-read in the telnet parser
+    - CVE-2017-12991 buffer over-read in the BGP parser
+    - CVE-2017-12992 buffer over-read in the RIPng parser
+    - CVE-2017-12993 buffer over-read in the Juniper protocols parser
+    - CVE-2017-12994 buffer over-read in the BGP parser
+    - CVE-2017-12996 buffer over-read in the PIMv2 parser
+    - CVE-2017-12998 buffer over-read in the IS-IS parser
+    - CVE-2017-12999 buffer over-read in the IS-IS parser
+    - CVE-2017-13000 buffer over-read in the IEEE 802.15.4 parser
+    - CVE-2017-13001 buffer over-read in the NFS parser
+    - CVE-2017-13002 buffer over-read in the AODV parser
+    - CVE-2017-13003 buffer over-read in the LMP parser
+    - CVE-2017-13004 buffer over-read in the Juniper protocols parser
+    - CVE-2017-13005 buffer over-read in the NFS parser
+    - CVE-2017-13006 buffer over-read in the L2TP parser
+    - CVE-2017-13007 buffer over-read in the Apple PKTAP parser
+    - CVE-2017-13008 buffer over-read in the IEEE 802.11 parser
+    - CVE-2017-13009 buffer over-read in the IPv6 mobility parser
+    - CVE-2017-13010 buffer over-read in the BEEP parser
+    - CVE-2017-13012 buffer over-read in the ICMP parser
+    - CVE-2017-13013 buffer over-read in the ARP parser
+    - CVE-2017-13014 buffer over-read in the White Board protocol parser
+    - CVE-2017-13015 buffer over-read in the EAP parser
+    - CVE-2017-13016 buffer over-read in the ISO ES-IS parser
+    - CVE-2017-13017 buffer over-read in the DHCPv6 parser
+    - CVE-2017-13018 buffer over-read in the PGM parser
+    - CVE-2017-13019 buffer over-read in the PGM parser
+    - CVE-2017-13020 buffer over-read in the VTP parser
+    - CVE-2017-13021 buffer over-read in the ICMPv6 parser
+    - CVE-2017-13022 buffer over-read in the IP parser
+    - CVE-2017-13023 buffer over-read in the IPv6 mobility parser
+    - CVE-2017-13024 buffer over-read in the IPv6 mobility parser
+    - CVE-2017-13025 buffer over-read in the IPv6 mobility parser
+    - CVE-2017-13026 buffer over-read in the ISO IS-IS parser
+    - CVE-2017-13027 buffer over-read in the LLDP parser
+    - CVE-2017-13028 buffer over-read in the BOOTP parser
+    - CVE-2017-13029 buffer over-read in the PPP parser
+    - CVE-2017-13030 buffer over-read in the PIM parser
+    - CVE-2017-13031 buffer over-read in the IPv6 fragmentation header parser
+    - CVE-2017-13032 buffer over-read in the RADIUS parser
+    - CVE-2017-13033 buffer over-read in the VTP parser
+    - CVE-2017-13034 buffer over-read in the PGM parser
+    - CVE-2017-13035 buffer over-read in the ISO IS-IS parser
+    - CVE-2017-13036 buffer over-read in the OSPFv3 parser
+    - CVE-2017-13037 buffer over-read in the IP parser
+    - CVE-2017-13038 buffer over-read in the PPP parser
+    - CVE-2017-13039 buffer over-read in the ISAKMP parser
+    - CVE-2017-13040 buffer over-read in the MPTCP parser
+    - CVE-2017-13041 buffer over-read in the ICMPv6 parser
+    - CVE-2017-13042 buffer over-read in the HNCP parser
+    - CVE-2017-13043 buffer over-read in the BGP parser
+    - CVE-2017-13044 buffer over-read in the HNCP parser
+    - CVE-2017-13045 buffer over-read in the VQP parser
+    - CVE-2017-13046 buffer over-read in the BGP parser
+    - CVE-2017-13047 buffer over-read in the ISO ES-IS parser
+    - CVE-2017-13048 buffer over-read in the RSVP parser
+    - CVE-2017-13049 buffer over-read in the Rx protocol parser
+    - CVE-2017-13050 buffer over-read in the RPKI-Router parser
+    - CVE-2017-13051 buffer over-read in the RSVP parser
+    - CVE-2017-13052 buffer over-read in the CFM parser
+    - CVE-2017-13053 buffer over-read in the BGP parser
+    - CVE-2017-13054 buffer over-read in the LLDP parser
+    - CVE-2017-13055 buffer over-read in the ISO IS-IS parser
+    - CVE-2017-13687 buffer over-read in the Cisco HDLC parser
+    - CVE-2017-13688 buffer over-read in the OLSR parser
+    - CVE-2017-13689 buffer over-read in the IKEv1 parser
+    - CVE-2017-13690 buffer over-read in the IKEv2 parser
+    - CVE-2017-13725 buffer over-read in the IPv6 routing header parser
+  * Dropped patch tcpdump-reverted-test-scripts-fix.patch
+
 -------------------------------------------------------------------
 Wed Aug 23 13:51:30 UTC 2017 - pmonrealgonzalez@suse.com

--- a/tcpdump.spec
+++ b/tcpdump.spec
@ -18,7 +18,7 @@

 %define min_libpcap_version 1.8.1
 Name:           tcpdump
-Version:        4.9.1
+Version:        4.9.2
 Release:        0
 Summary:        A Packet Sniffer
 License:        BSD-3-Clause
@ -28,8 +28,8 @@ Source:         http://www.tcpdump.org/release/%{name}-%{version}.tar.gz
 Source1:        tcpdump-qeth
 Source2:        http://www.tcpdump.org/release/%{name}-%{version}.tar.gz.sig
 Source3:        http://www.tcpdump.org/tcpdump-workers.asc#/%{name}.keyring
-# PATCH-FIX-UPSTREAM tcpdump-reverted-test-scripts-fix.patch
-Patch0:         tcpdump-reverted-test-scripts-fix.patch
+# PATCH-FIX-OPENSUSE tcpdump-ikev2pI2.patch - disabled failing test
+Patch0:         tcpdump-ikev2pI2.patch
 BuildRequires:  libpcap-devel >= %{min_libpcap_version}
 BuildRequires:  libsmi-devel
 BuildRequires:  openssl-devel
@ -42,7 +42,7 @@ ethernet. It can be used to debug specific network problems.

 %prep
 %setup -q
-%patch0 -p1 -R
+%patch0 -p1

 %build
 export CFLAGS="%{optflags} -Wall -DGUESS_TSO -fstack-protector -fno-strict-aliasing"